Offline PIN cryptographic validation.

A method of offline personal identification in and to a
multi-terminal data processing system, the method using an
authentication tree with a one-way authentication tree function,
a stored global secret key, a stored global verification
value of reference, a personal identification number entered
directly by the potential user and a personal key and an index
position number entered via a card previously issued to the
potential user, the index position number representing the tree
path for the user to whom the card was issued, by calculating
an authentication parameter as a function of the personal key
and the personal identification number; mapping the parameter
to a verification value using the index position number in
the one way function to the root of the tree; comparing the
verification value obtained by the mapping with the stored
global verification value of reference; and enabling the system
in respect of transaction execution if the comparison meets
predetermined criteria.

ONE-WAY FUNCTION MAPPING TWO 56-BIT VALUES TO ONE 56-BIT VALUE

This invention is directed to a method of offline personal
authentication involving a secret user personal identification
number (PIN), a secret key and other non-secret
data stored on a customer memory card, and a non-secret
validation value stored in each terminal connected in a
network. Typically, the terminals are connected to a bank
which issues the memory card and the terminals are automated
teller machines (ATM) or point of sale (POS) terminals.

By "memory card", what is meant is a card which
stores more binary data than currently used magnetic stripe
cards but is distinguished from so-called "smart" cards in
that it does not incorporate a microprocessor on the card.

By "offline" is meant that the authentication is not part of
the transaction being authenticated; it is usually a separate
preliminary operation.

The problem solved by the subject invention is that of
authenticating a user of a memory card for electronic funds
transfer (EFT) systems or point of sale (POS) terminals.
The subject invention is based on a technique of "tree
authentication" first suggested by Ralph Merkle. See for
example, the following publications:

Ralph C Merkle, "Secrecy, Authentication and Public
Key Systems" UMI Research Press, Ann Arbor, Michigan
1982.

Ralph C Merkle, "Secrecy, Authentication and Public 
Key Systems" Technical Report No 1979-1, Information 
Systems Laboratory, Stanford University, June 1979. 

Ralph C Merkle, "Protocols for Public Key Cryp- 
tosystems" Technical Report. BNR, Palo Alto, CA, January 
1980. 

Ralph C Merkle, "Protocols for Public Key Cryp- 
tosystems", Proceedings of the 1980 Symposium on Secu- 
rity and Privacy, 122 - 134 (April 14-16, 1980). 

US Patent No 4,300,569 to Ralph C Merkle for
"Method of Providing Digital Signatures" discloses a method
of providing a digital signature for purposes of authentication
of a message. This method utilises an authentication
tree function or a one-way function of a secret number.
More specifically, the method according to Merkle provides
a digital signature of the type which generates a secret
number X_i, where X_i = x_i1, x_i2, x_i3, . . ., x_in, computes
Y_i = F(X_i) and transmits part of X_i to the receiver as the
digital signature. Merkle characterises his invention as providing
an authentication tree with an authentication tree function
comprising a one-way function of Y_i. The root of the
authentication tree and the authentication tree function are
authenticated at the receiver. The Y_i and the corresponding
authentication path values of the authentication tree are
transmitted from the transmitter to the receiver. Finally, the
Y_i are authenticated at the receiver by computing the
authentication path of the authentication tree between the Y_i
and the rest of the authentication tree.

The Merkle method is specifically intended to be an
improvement over a public key cryptosystem proposed by
Diffie et al in "New Directions in Cryptography", IEEE
Transactions on Information Theory, Volume IT-22, Number
6, November 1976, pages 644 to 654, as a means to
implement a digital signature and authenticate the true content
of a message. In the Diffie et al scheme, to sign a
message m whose size is s bits, it is necessary to compute
F(x1) = Y1, F(x2) = Y2, . . ., F(xs) = Ys. The transmitter
and receiver would agree on the vector Y = Y1, Y2, . . ., Ys.
If the jth bit of m was a 1, the transmitter would reveal
xj; but if the jth bit of m was 0, the transmitter would not
reveal xj. In essence, each bit of m would be individually
signed. To avoid the possibility of altering m by the receiver,
Diffie et al signed a new message m' that was twice
as long as m and computed by concatenating m with the
bitwise complement of m. This meant that each bit mj in the
original message was represented by two bits, one of which
would not be altered by the receiver.

A major problem of the Diffie et al method addressed
by Merkle was that it was only practical between a single
pair of users. Accordingly, Merkle's approach provided a
signature system of more general application and which
rested on the security of a conventional cryptographic function.
Moreover, Merkle's authentication tree required less
storage than the Diffie et al method. Merkle showed that n
values of m bits each could be authenticated on the basis
of only m x log2(n) bits of non-secret information, where
"x" denotes multiplication. The one-way function that Merkle
envisioned called for a value of m = 100, although
that is not significant in terms of the raw algorithm. The
present invention adapts Merkle's idea of tree authentication
to the area of offline EFT/POS banking.

It is therefore an object of the present invention to
provide an improved offline PIN authentication technique
which is particularly adapted for use in EFT/POS terminals.
According to the invention, there is provided a method
of offline personal identification in and to a multi-terminal
data processing system, the method using an authentication
tree with a one-way authentication tree function, a stored
global secret key, a stored global verification value of reference,
a personal identification number entered directly by
the potential user and a personal key and an index position
number entered via a card previously issued to the potential
user, the index position number representing the tree path
for the user to whom the card was issued, by calculating an
authentication parameter as a function of the personal key
and the personal identification number; mapping the parameter
to a verification value using the index position number
in the one way function to the root of the tree; comparing
the verification value obtained by the mapping with the
stored global verification value of reference; and enabling
the system in respect of transaction execution if the comparison
meets predetermined criteria.

As described, an embodiment comprises a method of
offline personal authentication in a multi-terminal system
using an improved authentication tree function comprising a
one-way function. A person to be authenticated enters his
or her PIN and the memory card in a terminal in the
multi-terminal system. The information read from the memory
card and the PIN are used to calculate an authentication
parameter. The calculated authentication parameter is then
mapped to a verification value or root of the authentication
tree using the one-way function. The verification value
obtained by mapping the calculated authentication parameter
is then compared with a global verification value stored
at the terminal.

In the following description of an embodiment of the
present invention, a secure method of tree authentication is
realised with a value of m = 56 with the data encryption
standard (DES), i.e. by making the work factor to break the
system equivalent to that of DES key exhaustion. More
specifically, if Y1, Y2, . . ., Yn represents n values to be
authenticated by the algorithm, then the global non-secret
verification value is calculated via an algorithm that involves
all of these n values. With a public key approach, once the
public and private key pair has been produced, the secret
key can be used to generate the appropriate quantity to
store on a memory card without any dependency on the
parameters stored on other memory cards. That is, if an
n+1st user is to be added to the list, the public and secret
key pair need not be recalculated; rather, they can be used
as is to generate the card. But with the DES solution used
in the subject invention, an n+1st user cannot be added
to the list without recalculating a new global verification
value.

There are ways around this problem. If a bank, for 
example, is willing to assign a new ID to a customer in 
cases when his or her PIN and bank card have been
compromised, then the original list of n values to be authen- 
ticated could include 10 or 20 percent extra IDs and 
associated values of Y to be authenticated. In that case, 
when a card and PIN are compromised, the ID is invali- 
dated and a new ID is assigned to the customer and a new 
PIN and card are issued using one of the precalculated 
values already available. The old ID is then stored in a "hot 
list" at each terminal, and in the course of authenticating a 
user at a terminal, this "hot list" is checked to make sure 
that the ID being used is not invalid. On the other hand, if 
the bank cannot assign a new ID to a customer, i.e. the ID 
remains fixed for the life of that customer, then there can be 
provided two or more sets of n values and two or more 
global verification values are stored in the terminal. A user 
would be assigned a new PIN and a new card to work off 
the second verification value only if the PIN and card for 
the first verification value have been compromised. In turn, 
the user could get a PIN and card to work off a third 
verification value if the PIN and card for the first two 
verification values have been compromised. Again, a "hot 
list" is checked to make sure that the PIN being used and a 
calculated authentication parameter are not invalid. Yet an- 
other possibility is to have only two sets of values, one 
primary and one secondary. Since there are apt to be very 
few customers that would be issued more than two cards, 
these cases could be handled on an exception basis with 
an authentication table at each EFT/POS terminal. The
table, which might contain a few hundred entries, would 
consist of the user's ID and his authentication parameter, 
the latter of which would be calculated from the user's PIN, 
personal key and non-secret data stored on the card, and 
the global secret key in the terminal.

The method according to the invention also requires a
large amount of storage on the card to store non-secret
data required by the authentication algorithm. Roughly, if
there are 2^n customers that require offline authentication,
then each card must store 56 x n bits of non-secret data
required by the authentication algorithm. The card must also
store a 56 bit secret key and an n-bit number representing
the "path" of the calculation. Note that the amount of data
stored on the card depends on the number of customers
(i.e. it is dependent on n rather than being independent of
it). For example, if there are one million customers in the
bank (roughly equal to 2^20), then there are 56 x 20 =
1120 bits plus a 56-bit key plus a 20-bit "path" required to
be stored on the card. However, the algorithm has the
property that the number of bits on the card grows only as
the log2 of the number of customers. Thus, if a bank wants
to service two million customers, it is only necessary to
store an additional 56 bits on the card. With a memory card
having sufficient storage, the DES approach can be used
almost as easily as a public key approach. The Rivest,
Shamir and Adleman (RSA) public key algorithm, for example,
would require a 400-bit value to be stored on the card.
This is less than the 1200 or 1300 bits called for by the
method according to the present invention, but it is large
enough to also require a memory card. In other words, the
public key approach cannot use the present magnetic
stripe card either. The approach taken by the present invention
has the advantage of offering an alternative to public
key and is based on the proven strength of the DES.

The present invention will be described further by way
of example with reference to the aforesaid preferred embodiment
of the invention as illustrated in the accompanying
drawings, in which:

Figure 1 is a block diagram illustrating the one-way function 
mapping of two 56-bit values to one 56-bit value; 

Figure 2 is a simple illustrative example of three tables of
authentication parameters;

Figure 3 is similar to Figure 2 but shows the manner in 
which values are selected from the three tables to be stored 
on a customer's memory card; and 



Figure 4 is a flow diagram illustrating the operation of the
offline PIN validation of this particular embodiment of the
invention.



Consider first the question of PIN secrecy. Let the
encrypted PIN (denoted EPIN) be calculated as in Equation 1.

EPIN = E_{KGbl}(E_{PIN}(ID))     (1)

where PIN is the entered PIN, ID is the user identifier,
and KGbl is a global secret key stored in each EFT/POS
terminal. Let the authentication parameter AP be calculated
as in Equation 2.

AP = Right56[E_{KP ⊕ EPIN}(ID) ⊕ ID]     (2)

where KP is the user's personal key stored on the
card, the symbol "⊕" represents an Exclusive OR operation,
and "Right56" is a function that extracts the rightmost
56 bits in the binary variable denoted by the argument of
the function. Equation 2 uses EPIN instead of PIN so that
the PIN cannot be derived via trial and error at electronic
speeds from a lost or stolen card using the public verification
value in the EFT/POS terminal. From Equation 2, it is
apparent that a new PIN can be issued merely by calculating
a new EPIN using Equation 1, calculating a new KP via
the equation KPnew = EPINnew ⊕ KPold ⊕ EPINold, and
reissuing a new card with the new value of KP, i.e. KPnew,
written on the card.

The method of tree authentication makes use of a
binary tree. In a tree with 2^n final elements or "leaves",
there are 2^n different "paths" from the root of the tree to
each final leaf and therefore n transitions between levels. A
tree with n = 3 is shown below.

level 3    x   x   x   x   x   x   x   x
level 2      x       x       x       x
level 1          x               x
level 0                  x

If the left branch is denoted by "0" and the right
branch by "1", then the tree looks like this:

Index Position   000 001 010 011 100 101 110 111

level 3           0   1   0   1   0   1   0   1
level 2             0       1       0       1
level 1                 0               1
level 0                      (root)

The "path" followed in the tree can be represented as
a string of "1's" and "0's". For example, starting from the
root if we go up to a left branch, then to a right branch,
and then to a right branch again, the path is given by the
number 011. If, on the other hand, we go up to a right
branch, and then to a right branch again, and then up to a
left branch, the path is given by the number 110. Thus, the
numbers 000, 001, . . ., 111 describe the eight paths in
this binary tree. It should be apparent that these path
numbers also represent the index positions, in binary numbers,
of the values at the highest level of the tree. The
index position always starts from level zero.

Now, it is assumed that the problem to be resolved is
to calculate a single non-secret verification value V from a
set of n predefined authentication parameters AP0, AP1,
AP2, . . ., APn. Suppose for the sake of this example that
log2(n) = 20, i.e. that there are 2^20 = 1,048,576
customers. Note that one can always fill in the tree with
dummy entries if need be; that is, where the number of
customers is not equal to 2^i for some integer i. The n
values of AP are mapped to a single root value using a
one-way function that involves log2(n) iterations. At the first
iteration, the n = 1,048,576 values are mapped to
524,288 values, the second iteration maps 524,288 values
to 262,144 values, and so on until the 20th iteration maps
two values to one value. Each application of the one-way
function maps two 56-bit values (denoted Yleft and Yright)
to a single 56-bit value (denoted Ynew) as illustrated in
Figure 1. A suitable one-way function that maps Yleft and
Yright to Ynew is given by Equation 3.



Right56[Yleft ⊕ E_{Right56[Ci]}(Yleft)] = Ui

Right56[Yright ⊕ E_{Ui}(Yright)] = Ynew     (3)

where Ci is a 64-bit variable computed using Equation
4 given hereinafter. At the first iteration, Equation 3 is used
to map AP0, AP1 and a unique codeword C to Ynew; i.e.
Yleft is AP0 and Yright is AP1. This output Ynew may be
denoted AP0,1. Then, AP2, AP3 and a different codeword C
are mapped to AP2,3 using Equation 3, and so forth. At the
second iteration, AP0,1, AP2,3 and yet a different codeword
C are mapped to AP0,1,2,3 using Equation 3, and so forth.
The operations are fairly simple and straightforward. In all,
there are n-1 calculations involving Equation 3. The final
56-bit value so produced is stored in each EFT/POS terminal
and is used as a global verification value V.

In the example where n = 2^20, the 1,048,576 values
of AP, namely AP0,1, AP2,3, . . ., which are
produced at the first iteration in that order, are stored in a
table at a next level designated Table 19; the 262,144
values AP0,1,2,3, AP4,5,6,7, . . .,
which are produced at the second iteration in that order, are
stored in a table at a next level designated Table 18; and
so on. Thus, the values in Table 20 are processed sequentially
using the mapping in Equation 3 to produce the values
in Table 19. The values in Table 19 are processed sequentially
also using the mapping in Equation 3 to produce the
values in Table 18, and so on.

In a simple example where n = 3, only three tables
would be required. The values AP0, AP1, . . ., AP7 would be
stored in Table 3; the values AP0,1, AP2,3, AP4,5 and AP6,7
would be stored in the table at the next level, namely, Table
2; and the values AP0,1,2,3 and AP4,5,6,7 would be stored
in the table at the next level, namely Table 1, as shown in
Figure 2.

Each customer is issued a PIN and a bank card on
which is recorded a user identifier ID, a unique secret
personal key KP, and other information including information
that allows a verification value V to be calculated from that
customer's authentication parameter AP. The customer's
AP value is a function of PIN, KP, ID, and KGbl as
described above, and is calculated via Equations 1 and 2.
In the example given in Figure 2 where n = 3, the other
information stored on the bank card necessary to allow a
verification value V to be calculated would consist of a
56-bit value selected from each of the three tables, i.e. Table
1, Table 2 and Table 3, and a 3-bit index position of the
customer's AP value in Table 3.

The rule for determining which 56-bit values must be
selected from Tables 1, 2 and 3 for storage on the bank
card depends on the index position of AP in Table 3. If, for
example, AP2 is the authentication parameter to be authenticated,
then the 3-bit index position equals 010 in binary,
and the values AP3, AP0,1, AP4,5,6,7 and 010 represent
the necessary information that must be stored on the bank
card to allow the verification value V to be calculated.
Referring now to Figure 3, there is a diagram illustrating the
selected path for obtaining the root or verification value for
this tree. The diagram shows the value of the index positions
for Tables 1, 2 and 3 and the associated AP value at
each such position in each table. Thus, for the given
example, the starting index position is 010 and the value of
AP is AP2. The path traced through the tree is represented
by the AP values enclosed in triangles whereas the AP
values stored on the bank card are enclosed in rectangles.
The rule for selecting the three values AP3, AP0,1 and
AP4,5,6,7 is as follows. Starting with the index position of
AP2, i.e. 010, the rightmost bit is inverted and this 3-bit
number 011 is used as the index position of the AP value
selected from Table 3. This results in selecting AP3, since
the index position of AP3 in Table 3 is just 011. For
convenience, let the value AP3 selected from Table 3 be
denoted by Y3, where the subscript on Y is the number of
the table. The number 011 is now shifted one bit to the
right, thus producing 01, and the rightmost bit is again
inverted, and this 2-bit number 00 is used as the index
position of the AP value selected from Table 2. This results
in selecting AP0,1, since the index position of AP0,1 in
Table 2 is just 00. For convenience, let the value AP0,1
selected from Table 2 be denoted by Y2. The number 00 is
now shifted one more bit to the right, thus producing 0, and
the rightmost bit is again inverted, and this 1-bit number 1
is used as the index position of the AP value selected from
Table 1. This results in selecting AP4,5,6,7, since the index
position of AP4,5,6,7 in Table 1 is just 1. For convenience
let the value AP4,5,6,7 selected from Table 1 be denoted by
Y1. Thus, the values Y3, Y2, Y1 and the index position 010
are the values which would be written on the bank card for
the example where the associated AP value is AP2. In the
case where n = 20 described above, i.e. where 1,048,576
bank cards are issued to customers, each card would have
stored on it the values Y20, Y19, . . ., Y1 and a 20-bit index
position in Table 20 of the AP value to be authenticated.
Thus, the amount of information stored on the bank card is
variable and depends on the number of customer AP values
to be authenticated and therefore on the size of the
authentication tree so produced.

Referring again to Figure 3, the calculation of the
verification value V from AP, Y3, Y2, Y1 and the index
position number (010 in the example) is as follows. This is
the calculation performed in the EFT/POS terminal to
authenticate a cardholder. The information on the card is, of
course, first read into the EFT/POS terminal. If the rightmost
bit of the index position is 0, then Ynew is calculated with
Equation 3 using as inputs Yleft = AP and Yright = Y3.
This is the calculation performed in the present example,
since the rightmost bit of 010 is 0. On the other hand, if
the rightmost bit of the index position number is 1, then
Ynew is calculated with Equation 3 using as inputs Yleft =
Y3 and Yright = AP; that is, the assignment of values is
reversed. Now the index position number is shifted one bit
to the right which, in the example illustrated in Figure 3,
produces the value 01. If the rightmost bit of this shifted
number is 0, then Ynew is calculated with Equation 3 using
as inputs Yleft = Yold and Yright = Y2, where Yold is
again the value of Ynew produced in the previous step. This
is the calculation performed in our present example, since
the rightmost bit in the shifted number is 0. On the other
hand, if the rightmost bit of the shifted number is 1, then
Ynew is calculated with Equation 3 using as inputs Yleft =
Y2 and Yright = Yold. Thus, the index position number
stored on the card defines how each value of Yj, also
stored on the card, is to be used in the calculation of Ynew
using Equation 3; i.e. whether it is substituted for Yleft or for
Yright in Equation 3. Moreover, once this order of substitution
has been determined, either AP or the value of Ynew
produced at the previous step is substituted for the other
parameter Yleft or Yright. The value of AP is used only at
the first step in the calculation of V whereas a value of
Ynew is used in all subsequent steps in the calculation of V.

The value C in Equation 3 is derived from the index
position number stored on the bank card using the following
algorithm. Let Q be a 64-bit constant and KA and KB two
constant, non-secret cryptographic keys. Q, KA and KB are
stored in each EFT/POS terminal and are universal constants
whose values are established by the card issuer. If
X1, X2, X3, . . ., Xm denotes the index position number on the
card, represented in binary, then these m bits are used to
calculate the following m values of C: C1, C2, . . ., Cm,
using Equation 4.

Ci = E_{Ki} E_{K(i-1)} . . . E_{K1}(Q)   for i = 1, 2, . . ., m     (4)

where

Km     = KA if Xm = 0
         KB if Xm = 1

K(m-1) = KA if X(m-1) = 0
         KB if X(m-1) = 1

. . .

K1     = KA if X1 = 0
         KB if X1 = 1

For example, if the index position number is 10110
01101 10001 11010, then the following 20 values of C
are calculated and used with Equation 3 to calculate V:

C1  = E_{KB}(Q)
C2  = E_{KA} E_{KB}(Q) = E_{KA}(C1)
C3  = E_{KB} E_{KA} E_{KB}(Q) = E_{KB}(C2)
. . .
C19 = E_{KB} . . . E_{KB} E_{KA} E_{KB}(Q) = E_{KB}(C18)
C20 = E_{KA} E_{KB} . . . E_{KB} E_{KA} E_{KB}(Q) = E_{KA}(C19)

Twenty encryptions are required to calculate the 20
values of C for a particular 20-bit index position number.
C20 is used with Equation 3 to make the transition from
level 20 to level 19 in the tree. C19 is used with Equation 3
to make the transition from level 19 to level 18 in the tree,
and so forth, there being a different value of C used at
each fork in the tree. The reason for using different values
of C is because of security. If a constant value of C were
used at each fork in the tree, then an adversary could
launch a birthday type of attack in which a set of
values is calculated by chaining one value after the other
until there is a match with one of the actual values in
the tree. By opening several accounts, an adversary could
collect a fairly large set of such actual values and thus
reduce his work factor by using the mentioned attack.
However, by forcing different values of C, the attack is
thwarted.
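
The procedure above, carried end to end for the n = 3 tree, as an added example that is not part of the original specification: the issuer builds the tables and selects Y3, Y2, Y1 for a card, and the terminal recomputes V from the entered PIN and the card data. Assumptions: DES is replaced by a truncated HMAC-SHA-256 stand-in `E` (Python's standard library has no DES), all keys, IDs and PINs are constructed, and each fork's codeword C is chained from the index bits of the fork itself so that both cards under a fork derive the same value.

```python
import hashlib
import hmac

MASK56 = (1 << 56) - 1
# Constructed terminal constants (the page gives their sizes, not their values).
Q, KA, KB = 0x0123456789ABCDEF, 0x11111111111111, 0x22222222222222
KGBL = 0x5A5A5A5A5A5A5A  # secret global key, constructed

def E(key, block):
    """Stand-in for DES E_key(block): first 64 bits of HMAC-SHA-256 (assumption)."""
    mac = hmac.new(key.to_bytes(8, "big"), block.to_bytes(8, "big"), hashlib.sha256)
    return int.from_bytes(mac.digest()[:8], "big")

def right56(x):
    return x & MASK56

def epin(pin, user_id):
    """Equation 1: EPIN = E_KGbl(E_PIN(ID))."""
    return E(KGBL, E(pin, user_id))

def auth_param(pin, kp, user_id):
    """Equation 2: AP = Right56[E_(KP xor EPIN)(ID) xor ID]."""
    return right56(E(kp ^ epin(pin, user_id), user_id) ^ user_id)

def one_way(y_left, y_right, c):
    """Equation 3: two 56-bit values and a codeword C map to one 56-bit value."""
    u = right56(y_left ^ E(right56(c), y_left))
    return right56(y_right ^ E(u, y_right))

def codeword(fork_index, width):
    """Chain Q under KA/KB, one encryption per index bit, leftmost bit first.
    Assumption: keyed by the fork's own index so both children derive the same C."""
    c = Q
    for shift in range(width - 1, -1, -1):
        c = E(KB if (fork_index >> shift) & 1 else KA, c)
    return c

def build_tables(aps):
    """Issuer: Table n holds the AP values; Table 0 holds the single root V."""
    n = (len(aps) - 1).bit_length()
    tables = {n: list(aps)}
    for level in range(n, 0, -1):
        cur = tables[level]
        tables[level - 1] = [
            one_way(cur[2 * j], cur[2 * j + 1], codeword(j, level - 1))
            for j in range(len(cur) // 2)
        ]
    return tables

def card_values(tables, index):
    """Issuer: invert the rightmost index bit, pick from the table, shift right."""
    ys = []
    for level in range(max(tables), 0, -1):
        ys.append(tables[level][index ^ 1])
        index >>= 1
    return ys  # [Y_n, ..., Y_1]

def compute_v(ap, ys, index):
    """Terminal: fold AP with Y_n..Y_1; the rightmost index bit picks left/right."""
    y = ap
    for level, sibling in zip(range(len(ys), 0, -1), ys):
        c = codeword(index >> 1, level - 1)
        y = one_way(y, sibling, c) if index & 1 == 0 else one_way(sibling, y, c)
        index >>= 1
    return y

def authenticate(card, pin, v_ref, hot_list=frozenset()):
    """Terminal flow: hot-list checks, then compare the computed V with the reference."""
    if card["id"] in hot_list:
        return False
    ap = auth_param(pin, card["kp"], card["id"])
    if ap in hot_list:
        return False
    return compute_v(ap, card["ys"], card["ipn"]) == v_ref

def demo():
    # Constructed customers for n = 3 (eight leaves): (ID, PIN, KP).
    users = [(0x1000 + i, 1234 + 7 * i, 0xA1B2C3D4E5F6A0 + i) for i in range(8)]
    tables = build_tables([auth_param(pin, kp, uid) for uid, pin, kp in users])
    v = tables[0][0]
    uid, pin, kp = users[2]  # index position 010
    card = {"id": uid, "kp": kp, "ipn": 2, "ys": card_values(tables, 2)}
    # PIN change: KPnew = EPINnew xor KPold xor EPINold keeps AP, hence V, unchanged.
    new_pin = 9876
    reissued = dict(card, kp=epin(new_pin, uid) ^ kp ^ epin(pin, uid))
    return {
        "good_pin": authenticate(card, pin, v),
        "wrong_pin": authenticate(card, pin + 1, v),
        "hot_listed": authenticate(card, pin, v, hot_list={uid}),
        "reissued_pin": authenticate(reissued, new_pin, v),
        "old_pin_on_new_card": authenticate(reissued, pin, v),
        "wrong_index": authenticate(dict(card, ipn=3), pin, v),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```

Because a PIN reissue leaves AP unchanged, the global value V and every other customer's card stay valid; only the reissued card's KP changes.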

For the authentication step at the EFT/POS terminal
assume that the information on the bank card is as follows:

ID                    User Identifier
KP                    Secret Personal Key               56 bits
IPN                   Non-secret Index Position No      20 bits
Y20, Y19, . . ., Y1   Non-secret Data to Calculate V    1120 bits
VS                    Verification Selection Number

The difference between secret and non-secret with
regard to card data refers to how that data is treated when
it resides somewhere off the card. By definition, the card
must be protected if any data stored on the card is defined
as secret. Other non-secret data on the card receives the
same degree of protection as the secret data. It may be
desirable to store a number of verification values and a
positive file of AP values in each EFT/POS terminal and to
authenticate a card-holder using one of these verification
values which is selected on the basis of a verification
selection number stored on the cardholder's card or to
authenticate the card-holder on the basis of a positive file
of AP values. To account for the possibility that some
customers will lose their cards or a compromise of either
their card or PIN may occur, which will require a new card
with a new AP value to be reissued to the card-holder, it
may be desirable to authenticate an AP value associated
with a reissued card on the basis of a different verification
value V. Each EFT/POS terminal therefore stores a value
T, which is interpreted as follows. If the verification selection
number VS is less than or equal to T, then the value of VS
is used by the terminal to select the verification value V to
be used to authenticate the card-holder's AP value.



Assume that the EFT/POS terminal stores the following:

Q      Non-secret Constant                                  64 bits
KA     Non-secret Cryptographic Key                         56 bits
KB     Non-secret Cryptographic Key                         56 bits
V      Verification Value                                   56 bits
KGbl   Secret Global Cryptographic Key                      56 bits
T      Number of Verification Values Stored in Terminal


It should be noted that there may be multiple verification
values depending on the particular implementation.

The steps involved in the authentication process are
illustrated in Figure 4. First the card-holder enters his or
her PIN into the EFT/POS terminal. The card-holder also
submits his or her bank card to the EFT/POS terminal as
depicted in block 1. Then, in block 2, the terminal reads the
quantities stored on the card. Before proceeding with any
calculations, a "hot list" is checked in block 3 to determine
if the ID read from the card is valid. In decision block 4, a
determination is made as to whether the ID is valid, and if it
is not then the reject indicator is set in block 5. An ID is
invalid if a value equal to the value of the ID is found in the
"hot list". Otherwise, the process continues to block 6. At
this point, the EPIN is calculated from the ID, PIN and
secret KGbl key using Equation 1. In addition AP is
calculated from EPIN, KP and ID using Equation 2. A "hot
list", which may be the same "hot list" mentioned above, is
also checked to determine if the AP is invalid. The AP is
invalid if a value equal to the value of AP is found in the
"hot list". If the AP is invalid, then the reject indicator is set
in block 5. Otherwise, the process continues to decision
block 8 where a determination is made as to whether the
verification selection number VS is greater than the value of
T stored in the EFT/POS terminal. If it is, then the card-holder
is authenticated on the basis of a positive file in
block 9 instead of on the basis of a verification value V.
Such a file can be implemented by storing in the positive
file the values of ID and AP for each such user to be
authenticated by the positive file. In decision block 10, a
determination is made as to whether a positive authentication
is made from the file, and if not, then a reject indicator
is set in block 5. More particularly, the card-holder's ID is
first used to access and obtain a corresponding AP value
stored in the positive file, and the card-holder is then
authenticated by comparing this AP of reference value for
equality with the AP value calculated in block 6.

Returning to block 8, if the verification selection num- 
ber is less than or equal to T, then the constants C», C* . . 

Ca0 are calculated, in that order using Equation 4. from 
Q. KA, KB, and the index position number (IPN) read from 
the card, and these generated quantities are stored in a 
table and later accessed when calculating V. Once the 
constants C, have all been calculated, V is calculated from 
AP, Y20, Y*. ; . ., Y„ C20.C*..... C„ and the 20-bit 
index position number represented by IPN * X,, X„ . . 
X20 using Equation 3 repeatedly, as follows: 

$$\mathrm{Right56}[Y_{left} \oplus E_{\mathrm{Right56}[C_{20}]}(Y_{left})] = U_{20}$$
$$\mathrm{Right56}[Y_{right} \oplus E_{U_{20}}(Y_{right})] = Y_{new19}$$

where $Y_{left} = AP$ and $Y_{right} = Y_{20}$, or $Y_{left} = Y_{20}$ and $Y_{right} = AP$, according to the value of $X_{20}$; 

$$\mathrm{Right56}[Y_{left} \oplus E_{\mathrm{Right56}[C_{19}]}(Y_{left})] = U_{19}$$
$$\mathrm{Right56}[Y_{right} \oplus E_{U_{19}}(Y_{right})] = Y_{new18}$$

where $Y_{left} = Y_{new19}$ and $Y_{right} = Y_{19}$, or $Y_{left} = Y_{19}$ and $Y_{right} = Y_{new19}$, according to the value of $X_{19}$; 

$$\mathrm{Right56}[Y_{left} \oplus E_{\mathrm{Right56}[C_{18}]}(Y_{left})] = U_{18}$$
$$\mathrm{Right56}[Y_{right} \oplus E_{U_{18}}(Y_{right})] = Y_{new17}$$

where $Y_{left} = Y_{new18}$ and $Y_{right} = Y_{18}$, or $Y_{left} = Y_{18}$ and $Y_{right} = Y_{new18}$, according to the value of $X_{18}$; 

$$\vdots$$

$$\mathrm{Right56}[Y_{left} \oplus E_{\mathrm{Right56}[C_{1}]}(Y_{left})] = U_{1}$$
$$\mathrm{Right56}[Y_{right} \oplus E_{U_{1}}(Y_{right})] = V$$

where $Y_{left} = Y_{new1}$ and $Y_{right} = Y_{1}$, or $Y_{left} = Y_{1}$ and $Y_{right} = Y_{new1}$, according to the value of $X_{1}$. 

The foregoing calculations are made in block 12. The 
verification selection number is decoded at block 13 to 
select a particular one of the T global reference values 
stored at the terminal. Then in decision block u a determination 
is made as to whether the calculated value of V is 
equal to the particular selected global reference value 
stored in the terminal. If it is not, then the reject indicator is 
set in block 5. Otherwise, the accept indicator is set in block 

Returning briefly to decision block 13, by way of example, 
let T = 2. Then if the verification selection number is 
1, a first global reference value is used in making the 
determination to authenticate the user. However, if the 
verification selection number is 2, then a second global 
reference value is used. As already described with reference 
to decision block 8, if the verification selection number 
is greater than 2, the user is authenticated on the basis of a 
positive file in block 9. Obviously, the numbers chosen here 
are governed by practical considerations, and those skilled 
in the art will recognise that these are open to modification. 
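
The terminal-side flow described above (Equations 1 to 4, the hot list, the positive file and the walk to the root), as an added Python example that is not part of the patent text. Assumptions: DES is replaced by a keyed SHA-256 stand-in for E, all sample values are constructed, a single hot list holds both IDs and APs, and a bit $X_i = 0$ is taken to put the running value on the left.

```python
import hashlib

MASK56 = (1 << 56) - 1                         # Right56[...] as a bit mask

def E(key, block):
    """Stand-in for DES E_key(block): SHA-256 over key||block, cut to 64 bits."""
    data = key.to_bytes(8, "big") + block.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")

def auth_parameter(pin, kp, uid, kgbl):
    epin = E(kgbl, E(pin, uid))                # Equation 1
    return (E(kp ^ epin, uid) ^ uid) & MASK56  # Equation 2

def codewords(q, ka, kb, bits):
    out, c = [], q                             # Equation 4, starting from Q
    for x in bits:                             # bits = [X_1..X_m]
        c = E(kb if x else ka, c)              # K_i = KA if X_i = 0, else KB
        out.append(c)
    return out                                 # [C_1..C_m]

def walk_to_root(ap, ys, cs, bits):
    """Equation 3 repeated from level m down to 1; ys is [Y_1..Y_m]."""
    y = ap
    for y_card, c, x in zip(ys[::-1], cs[::-1], bits[::-1]):
        # Assumed convention: X_i = 0 puts the running value on the left.
        left, right = (y, y_card) if x == 0 else (y_card, y)
        u = (left ^ E(c & MASK56, left)) & MASK56
        y = (right ^ E(u, right)) & MASK56
    return y

def terminal_check(card, pin, term):
    ap = auth_parameter(pin, card["KP"], card["ID"], term["KGbl"])
    if card["ID"] in term["hot"] or ap in term["hot"]:
        return "reject"                        # hot-listed ID or AP
    if card["VS"] > len(term["refs"]):         # VS > T: use the positive file
        return "accept" if term["positive"].get(card["ID"]) == ap else "reject"
    cs = codewords(term["Q"], term["KA"], term["KB"], card["IPN"])
    v = walk_to_root(ap, card["Y"], cs, card["IPN"])
    return "accept" if v == term["refs"][card["VS"] - 1] else "reject"

# Constructed sample values (not from the patent): m = 3 levels, T = 1.
TERM = {"KGbl": 0x0123456789ABCDEF, "Q": 0x1111, "KA": 0xA5A5, "KB": 0x5A5A,
        "hot": set(), "positive": {}, "refs": []}
CARD = {"ID": 0x4242, "KP": 0xC0FFEE, "VS": 1, "IPN": [1, 0, 1],
        "Y": [0x1A2B3C, 0x4D5E6F, 0x778899]}
# Issuer side: the reference value is what the correct PIN (1234) maps to.
GOOD_AP = auth_parameter(1234, CARD["KP"], CARD["ID"], TERM["KGbl"])
TERM["refs"].append(walk_to_root(GOOD_AP, CARD["Y"], codewords(
    TERM["Q"], TERM["KA"], TERM["KB"], CARD["IPN"]), CARD["IPN"]))
```

A wrong PIN or an altered KP changes AP, so the walk ends at a different V and the comparison with the stored reference value fails.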

Summarising, the described method has the following 
security properties: First, compromising a card does not 
compromise the PIN. Second, compromising the global secret 
key does not compromise the PIN nor does it allow 
someone to forge cards and defraud the system. The 
process of personal authentication is based on a non-secret 
global value stored in each EFT/POS terminal. Added PIN 
protection is achieved through the use of the global secret 
key also stored in each EFT/POS terminal. Compromising 
this key does not by itself compromise PINs. The justification 
for employing a global secret key is that with short 
PINs, there is no way to maintain PIN secrecy if a user's 
card is compromised and the EFT/POS terminal stores only 
non-secret quantities. Although a global secret key has a 
decided disadvantage, it is better to employ such a key 
when there is no other alternative to strengthen PIN secrecy, 
especially when it can be anticipated that many user 
cards will be lost and thus fall into the hands of potential 
adversaries. As long as the integrity of the global non-secret 
verification value in the EFT/POS terminal is maintained, 
there is no global attack against the system. Even if 
the integrity of a terminal is compromised, then only that 
one terminal can be attacked. Since the global secret key 
does not lead to a global attack against the system, there is 
less motivation for an opponent to go after it. 

As described, a "hot list" is required with the procedure 
according to the invention. This is no different than what 
would be required with a public key solution or with a DES 
solution involving only a global secret key for user authentication. 
The "hot list" is needed because the bank has to 
have a way to invalidate an account. For example, an 
opponent could open an account under a phony name and 
then proceed to duplicate his card and sell the cards and 
PINs for profit. 

A user's PIN can be changed, but this involves reissu- 
ing the customer's bank card. Basically, when the PIN is 
changed, compensating changes must be made on the 
bank card which involves recalculation of an offset or cer- 
tain non-secret parameters on the card. If a user's card and 
PIN have been compromised, then a new card and PIN 
must be issued. In this case, an entry on the "hot list" must 
be made to effectively invalidate the authentication informa- 
tion stored on that card and the user's PIN. This does not 
necessarily mean that the ID is invalidated. The method is 
such that a customer's assigned ID can remain the same 
even if a new card and PIN are issued, although it is more 
efficient if a new ID is issued. 

While the invention has been described in terms of a 
preferred embodiment in the environment of a banking 
multi-terminal network, those skilled in the art will recognise 
that the principles of the invention can be practiced in other 
environments where it is desired to provide for the offline 
personal authentication of users of a system. For example, 
the invention could be used in a security system that would 
allow access to secure areas only to users of the system 
who are properly authenticated at a terminal. The important 
feature of the invention is the use of an authentication tree 
with an authentication tree function comprising a one-way 
function. 

Claims 



1. A method of offline personal identification in and to a 
multiterminal data processing system, the method using an 
authentication tree with a one-way authentication tree function, 
a stored global secret key, a stored global verification 
value of reference, a personal identification number entered 
directly by the potential user and a personal key and an 
index position number entered via a card previously issued 
to the potential user, the index position number representing 
the tree path for the user to whom the card was issued, 
characterised in that 

a) an authentication parameter is calculated as a function of 
the personal key and the personal identification number; 

b) mapping the parameter to a verification value using the 
index position number in the one way function to the root of 
the tree; 

c) comparing the verification value obtained by the mapping 
with the stored global verification value of reference; and 

d) enabling the system in respect of transaction execution if 
the comparison meets predetermined criteria. 

2. A method as claimed in claim 1 wherein the step of 
mapping is performed by first calculating a different code 
word for each node of the authentication tree and then 
using the different code words at the iteration of each node. 

3. A method as claimed in claim 2 further comprising the 
step of storing, in each terminal, values of Q, an m-bit 
constant and KA and KB, two non-secret cryptographic 
keys, the calculation of a different codeword for each node 
being a function of Q, KA and KB and the index position 
number stored on the user's card. 

4. A method as claimed in claim 3 wherein the step of 
calculating an authentication parameter is performed by the 
steps of: 

calculating an encrypted personal identification number 
(PIN), denoted EPIN, by the equation 

$$EPIN = E_{KGbl}(E_{PIN}(ID))$$

where KGbl is a global secret key stored in each terminal 
and ID is a user identification; and 

calculating an authentication parameter AP by the equation 

$$AP = \mathrm{Right56}[E_{KP \oplus EPIN}(ID) \oplus ID]$$

where KP is the user's personal key stored on the card, the 
symbol ⊕ represents an Exclusive OR operation, and 
"Right56" is a function that extracts the rightmost 56 bits in 
the binary variable denoted by the argument of the function. 

5. A method as claimed in claim 4 wherein there is further 
stored, on the card, m values $Y_1, Y_2, \ldots, Y_m$ to be 
authenticated and the step of mapping is performed by the 
step of calculating the verification value V from AP, the m 
values and the tree function by the equations 

$$\mathrm{Right56}[Y_{left} \oplus E_{\mathrm{Right56}[C_i]}(Y_{left})] = U$$
$$\mathrm{Right56}[Y_{right} \oplus E_{U}(Y_{right})] = Y_{new}$$

where $Y_{left}$ and $Y_{right}$ are two values in the tree path and 
$C_i$ are different values of the code word calculated for each 
iteration at each node of the tree function and the last $Y_{new}$ 
in the iteration is the verification value V. 

6. A method as claimed in claim 5 wherein the values of $C_i$ 
are calculated by the equation 

$$C_i = E_{K_i} E_{K_{i-1}} \cdots E_{K_1}(Q) \quad \text{for } i = 1, 2, \ldots, m$$

where $K_i = KA$ if $X_i = 0$ and $K_i = KB$ if $X_i = 1$, and $X_1, X_2, \ldots, X_m$ 
denote binary bits stored on the user's card which represent 
the index position number. 



7. A method as claimed in any of claims 4 to 6 wherein the 
user identifier ID is additionally stored on the user's card, 
the method further comprising the step of checking the user 
identifier read from the user's card against a list to determine 
if the ID is invalid, and, if it is, inhibiting the transaction. 

8. A method as claimed in claim 7 wherein, after calculating 
the authentication parameter, a list is checked to determine 
if the authentication parameter is invalid and, if it is so, 
inhibiting the transaction. 

ONE-WAY FUNCTION MAPPING TWO 56-BIT VALUES TO ONE 56-BIT VALUE 

FIG. 2 

NOTE: INDEX POSITION IS REPRESENTED AS A BINARY NUMBER. 
VALUES STORED IN TABLES 1, 2 AND 3 WHERE n = 3. 